Welcome to our KuppingerCole Analysts webinar, Navigating the End of SAP Identity Management, Future-Proofing Identity Security and Compliance. This webinar is supported by Pathlock, and the speakers today are Keri Bowman, she's Senior Director of Product Marketing at Pathlock, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. A little bit of housekeeping before we jump into our topic. So you're muted centrally, nothing to do around this. We will run two polls during the webinar, and if time allows, we will pick up the results during Q&A.
We have a Q&A session at the end of the webinar. You can enter your questions at any time.
There is, on the right-hand side of the screen, a control panel with the area questions and polls and others, so you can use that. And last but not least, we are recording the webinar. And the recording, as well as the presentation slides, will be made available soon after the webinar.
With that, I'd like to raise the first poll. And this is one which I feel is very important, because when we look at our world of ERP systems and other line-of-business applications, and the need for, call it, Application Access Control, or Application Risk Management, or GRC, then the question is, and I think it also includes the IGA, or the Identity Management part, who in your organization is responsible for this across the various line-of-business applications you may have in place?
So are different departments, depending on the applications, or someone for SAP, someone for your Oracle world, or your Salesforce, et cetera? Or is it the SAP department? Or is it the Identity Management department? Or is it others? So looking forward to your participation in the poll. The more people participate, the better it is, because then we have more interesting, probably more meaningful results out of that. And with that, we look at the agenda. So it's a simple agenda, three parts.
The first part is, I'll talk a bit about that we are in a situation with this end of life of SAP Identity Management where it's time to act. But it's also the need to plan ahead. In the second part, Keri will talk about tackling the challenges of the post-SAP Identity Management era. And in the third part, we will do our Q&A. So that's where we start right from now. First thing is 2025. So for some reason, I had some really nice background graphics. They just disappeared sometimes before the webinar. So it's just 2025. But we are in 2025. And the question is, what do we need to do now?
And what we need to do now basically is, we need to rethink this. We need to rethink our strategy. And so what we basically need to do a bit of weird PowerPoint behavior. What we need to do is, we have a situation where SAP Identity Management has the end of life announcement for a while. So it's 2027 is the target date. It's 2030 with an extended maintenance, leaving us at maximum five years plus. So basically, we could say we're January 2025. So it's almost six years. But that would be quite a bit of risk. We are in a situation where our SAP landscape is changing.
And usually also, or many organizations, or a lot of business ecosystems changing. So in the SAP world, we have to transition to HANA. In different facets, we have programs like SAP RISE. We see this change. So we see quite a lot of things going on there. We also have more applications for quite a while that reside outside of the traditional ECC environment. So they are really like, whatever, SuccessFactors, et cetera. They have a different technical approach, and so on. And we also see that many organizations are using more point solutions in the LoB space for certain use cases.
So this ecosystem overall is changing. We see other applications coming in, more heterogeneity, both in the types of applications as in the deployment models. We see the audit focus growing beyond financial systems. So when we look at the audit needs around technology risk, then it's surely a bit of a broader focus. It's still that clearly the main audit focuses on the financial data, on the numbers. But there is more happening. And we need to get better here. We need to also, I think, from a security perspective, need to get better.
Because at the end of the day, all these systems are potentially under attack. So we need strong access controls. We need a strong, strong focus here. We also see the upcoming SAP Access Control, or many call it still GRC, migrations. And formally it's SAP Access Control. I think I speak with more people who talk about SAP GRC instead.
So here, both terms are used. Again, there's also this shift, in this case, primarily regarding the platform it runs on. But potentially, there might also be functional changes. So let's see how simple or not simple that migration finally will be. I'm always a bit reluctant regarding simplicity of migrations, maybe being around too long in IT.
And you also have the situation, when you take the SAP strategy, then you have a, for a longer period, you will have a concurrent operation of SAP Access Control, which is really more on the sort of the core ERP side, on the dev side, versus Cloud IAG adding our own services. And so you might have more than one system, and you need to think about what is the right strategy around us. So do you want to go down that path, or what is what you intend to do here? And then let's look at 2030. 2030 is the year when the extended maintenance ends. And realistically, 2030 is closer than it feels.
So there's relatively little time left. And what it requires us to do is, we need to think about, or start early to do things properly. So a proper planning starts with as late as now in 2025, unless you already started this, focusing on the strategy. And this is more than just saying, OK, what's the next tool? The strategy is more.
It's IAM, IGA strategy. So how will your identity management or IGA look like? Thinking about maybe your identity fabric of the future, and what all this affects, and how different tools will come together. It is about the strategy for your application access governance, or application risk management. So what is the right strategy here? Having two tools for SAP, having other options in the market, thinking about what is the right thing to do here? So how should you look, and how do these things come together? Think about these strategic aspects. Put it into the context of an identity fabric.
Beyond the strategy, it's about the planning phase, which is next. So focus this year on strategy, maybe.
Next year, going into the more detailed planning. Blueprint and roadmap, the architectural planning, the requirement specification, really going into detail. Think for requirements beyond just what you need today. Think about what you may need in the future. And then select your tools. Run a proper tools choice. And a proper tools choice involves a number of elements, like doing a proof of concept, testing it, being very thorough. And it depends very much on a good requirement specification that takes into account everything.
So this is something you need to do in a broader group of people that are responsible for each and every of your line of business applications, not just the SAP part, that come from the identity management field, that come from security and beyond. And then that leaves just a little bit of time for the implementation, which means build your new environment, migrate.
Also, usually not super easy. Then you can improve from there, testing, optimize, I think. And around 2030, you're ready for a continuous optimization. It's a program, not a project. So even while we say, OK, 2030, still a lot of time left, it's not that much time. If you run this project properly, then it will take you a longer time. And better take your time, do it thoroughly, instead of, at the end, ending up in a rush. So this is the way you should think about this. And there are a lot of things which can go wrong in an identity management project.
At the end of the day, we are talking about something that is not part of an identity management project. It's about access controls in a specific environment. And this is a slide I brought up a couple of times before, looking at the key success factors for IAM projects. And when you look at such factors, then at the end of the day, we want to deliver on time, at budget, within quality, complete and distinct, meaning having little overlaps with other tools. So trying to minimize the number of tools we end up with. User-friendly, extensible, we can grow it, we can react on new demand.
That requires that we have a good requirements analysis, not only for what we currently see, but also what we expect to happen from the regulatory side. What do we see as future trends? Talk to the analysts, talk to the experts that look a bit into the future. We need a vision, a blueprint. We need program and project planning, management, budgeting, stakeholder management, all that stuff. We need to talk about people and organizations. Will this remain the same or will it change, especially when you talk with a number of different stakeholders for different line of business applications?
How should it ideally look like? To be honest, I personally believe if there's a department that has SAP in its name, regardless of how relevant SAP is for your organization, it's wrong. An organization never must be structured along tools. It must be a structure along the business requirement, the business processes, the business organization. So there might be something for all your business applications over different types of business applications, but don't name it after a tool. That's wrong. You need to define processes. You need to revisit processes.
The processes you've implemented five years ago, 10 years ago, 15 years ago, probably need some updates. You need policies. Then you can move into the implementation. Only then. That's the point. Only then. Do the other things first before you go into the implementation. And do it as I've mentioned before. Do it properly. So right now, let's talk about 2040. And you may ask, why 2040? Because we need to think beyond. So we talked about this project. We talked about how long will this project last.
And what we have here is we have a project that will take us, on average, probably three to five years. Maybe you do it in a year or in two or six months. Lucky you. Then probably the time you need for improving, et cetera, might be a bit longer. But then you have 10 plus years of lifetime. So what we are doing today is not for 2025. It's not for 2030. It's for 2040 and beyond. So that's also, again, going back to the requirements. We must think ahead, way ahead for what we do. We must think about how might the world change and how can we deal with changes.
And currently, at the starting point, I talked about all these changes coming in. There are a lot of things going on. So think about what may happen and how can you build something that is sustainable for the future. And future always is not, we are not sure how it exactly will look like. So we need to be prepared for change. So we start a program, we implement. And then we have continuous improvement. We have operations. And the question is, how must it look like?
In 2040, ask yourself that question. This sounds a bit radical, but exactly this is what will help you to do the things right. Not building for 2030, not for 2025, but for 2040 and beyond. There are many factors that impact this decision. So the change in your SAP environments, how will this look like? Where do you stand with SAP RISE? Will everything suit your entire things? In time to add, how will your change look like? What is more generally the general change you expect to see in the line of business application strategy and usage?
So will it be more a monolithic vendor strategy or a heterogeneous vendor strategy? What is to be expected here? How do you want to handle application access, governance, or risk in the future? What about the deployment models? Where do you intend to go in the foreseeable time? What might be the options that you need to support that might be multiple? How does this fit your IAM strategy or IAM fabric, identity fabric? What is happening in the IGA market? We see a lot of change here. We see vendors adding some level of application access governance to it.
We see application access governance vendors having an eye on the IAM market. So we see change. We see innovation here. Specifically also, it was in IGA, we may see that this market changes quite a bit. And last but not least, you also should build something which helps you getting ahead. Which helps you getting ahead of the auditors. So don't go for the minimum requirements you need to meet for your auditors today. Think about what do you need to do so that you can serve the auditors well, even when they start asking different questions.
That means questions about access control and other types of applications, for instance, beyond your core finance applications. More questions that go deeper into whatever the cyber security controls and other things. What do you do here? How can you prepare for that? So these were my thoughts. I want to raise a second poll before I hand over to Keri. The second poll is about what is, which is your biggest challenge in application access governance? So are these manual processes in managing the access too much, which is not automated? Is it serving audit tasks in a manual manner?
Is it dealing with different types of security models across line of business applications? Or is it just a permanent regulatory pressure? Or is it cross applications segregation of duties so that you say, okay, I need to release SOD controls that span multiple applications, different entitlement models, et cetera. And how can I handle that?
Again, the poll is open. I'm really curious about your perspectives on that. And with that, I hand over to Keri, who will do the second part of our webinar before then I will move to the Q&A session.
So Keri, it's your turn.

Thank you, Martin. Similar to how Martin, I think, did a really great job of setting the stage with what you can think of in terms of technology changes that are coming very quickly, where you have to make decisions around how you as an organization will identify and select the specific technology that's right for you and what the timing of your transition will be and how you plan ahead. I wanted to talk about it from the perspective of when you're tackling those challenges, as these technological changes come about, what can you do on the compliance side of things?
So the same way that you're future-proofing with a new technology, how do you future-proof with the compliance approach that you're taking and the maturity of your organization? And so to talk about that, I always like to start with a standard governance maturity so that we're all speaking the same language, essentially. And so whenever I talk about this, it's very similar to what you see in COBIT or CMMI.
So a basic maturity model is that as we move upward and towards the right, we're becoming more mature as an organization and we're also becoming more efficient and more effective with our controls and our compliance metrics. So the first thing we need to do is document our policies. We need to move away from ad hoc tasks and move towards detailed, repeatable processes and procedures.
So when we're talking about anything related to identity access management or identity governance, this is where we're identifying for our SAP system and any interconnected SAP systems or cloud applications that are in scope for us, making sure that we understand exactly what those governance and management processes and policies are. Have we very clearly documented those and can we enforce them? Because the next step is that automation that we want to secure. So these are things that we can do like HR-triggered user creation.
This is something to keep in mind as you are looking to move forward, for example, from SAP IDM. Do you have an interest in connecting to an HR source and automating some of those joiner, mover, or leaver instances?
Similarly, for access request approvals and provisioning workflows, automation of those, your access certifications, these are your user access reviews. Are you looking at automating those within your SAP environment and possibly across the rest of your application landscape where you're required to do that for compliance and regulatory reasons? And then as we continue to move up and towards the right, now this is where we start to move beyond the basics of identity management.
And as Martin called out, some people today still refer to it as SAP GRC or SAP Access Controls if you're speaking of the specific product. But for whether you have access controls or a different solution like Pathlock, this is where you start to see that maturity curve go upwards. And this is where we're looking at layering in risk into everything that we do. So going beyond just the provisioning and automation of access and the automation of access certifications, understanding how risk impacts those decisions and those applications of access.
So are we looking at separation of duties and sensitive access? When we're doing provisioning, are we preventatively performing an SOD check and providing those results to customers? It's really interesting to see the impact that that can have. At one customer, they saw a 40% reduction in the number of tickets that were submitted just because they were able to upfront notify the person submitting the ticket of the SOD risk that would be incurred if they were to request that access.
So it made the business users themselves far more aware of what they were asking for and the risk that that was exposing them to as part of the organization. And so that actually, they saw a behavioral change associated with that. So not only are we becoming more efficient and more compliant, but we can also become more risk aware as an organization as a whole. Similarly with certifications, it is a great thing to be able to automate certifications and to make that simpler for the end reviewer.
But again, if we can layer in risk into that, not only is it going to be a more effective review, but that additional information is going to ensure that the reviewers are making informed decisions. So there's another, again, I love a good statistic because it helps to build a business case when you're trying to explain to leadership or to your team members or those who are having a process change why it's so valuable to go ahead and make that change.
And for certifications, for example, if you have a typical reviewer who is reviewing users underneath them with access assignments, the typical revocation rate is something like 2 to 3%. So I review access and the number of line items or roles that I remove from someone during my review, something 2 to 3%. If I simply give that reviewer the information of have they used this access? So have they executed it within a certain timeframe? And is this access causing a risk for them? That revocation rate goes 10X. Now it's 20 to 30%.
And that's because I have given them that additional contextual information to make a decision where they can very easily justify it. They haven't used the access and it's exposing us to risk as an organization. I can very easily make a case to remove that access. It's simple, it's efficient, and it's effective. So that's where we can see value in maturing our processes.
Yes, it involves an additional step and it may involve training, but we can gain a lot out of it as an organization. And then similarly, restricting elevated access. So not only are we being more aware when we provision access to users, but following that least privilege model and restricting standing access from users so that instead, if it's sensitive access, they are requesting it and checking it out for a temporary time-bound period. And we're reviewing those access, what they performed with it afterwards, the change logs.
So things like this, again, are moving us upwards in the maturity scale. And we're going kind of beyond the basics of identity management with that layering of risk through everything. It allows us to make more informed decisions to make an impact in how the business operates and to, as our usual goal, reduce our risk exposure as an organization and manage it. And then kind of the last step there is going towards optimizing all of this. How do we take all of these steps and continue to further improve them?
So in any capability maturity model, what you're looking for is you go from ad hoc to documented and repeatable to automated and then to optimized. And so when we talk about continuous controls monitoring, that's really the optimized step here. This is where we quantify risk. So in the previous step, we're identifying potential risk in the organization and we are monitoring for usage. But with risk quantification, we're actually identifying when that risk has occurred, who performed it, and what that dollar amount exposure is for the business.
So we're getting very specific with it rather than potential. And then that automated control management. For some of you, you may be familiar with SAP process controls or a product like Pathlock's AVMRA and CCM. These are all focused on control management. So what is the control that ensures that your risk is being managed? And is that control operating effectively? Because if it's not operating effectively, then as an organization, we are not being compliant like we need to be.
And so there are solutions out there that can help you to automate that piece of things, which is really closing the loop. We have identified risk that's provisioned to users. We have mitigated it with a control and now we're monitoring that control actively and we're monitoring those risks and quantifying them actively. So really trying to continue to mature the organization. So as you're thinking about how your technology may change and what you're looking to implement, I would think about all of these pieces in the compliance landscape.
How are you going to address all of these things and mature your organization as part of your decision? So if you are trying to plan out for 2040 and an identity solution that you're going to have that far into the future, we should be thinking about how we're going to manage all of these compliance measures throughout that same time period and how they integrate with the solution that we select. So what are some actionable steps? Think about governing for your ERPs and beyond.
So not just your SAP system, but applications that are also part of your compliance landscape, especially with so many cloud applications being introduced. We know it's very common now for organizations to be moving to SAP Ariba, to Fieldglass, Concur. They may have Salesforce. You may have Coupa, Blackline, Manhattan Warehouse. All of these are very common applications that are used in conjunction with your typical SAP ECC or S4. So thinking about how you're going to manage those as well. So how are you going to manage risks? How will you provision access?
Will you be looking to do an integration between the identity piece of things? So that second step, the automation of access and the next step, access governance, the risk management piece of things, and also your ITSM solutions. Do you have a ticketing solution that's in place that you can integrate with this and close the loop? So from the moment that access is requested to when it's provisioned and risk is managed and monitored, how are you doing all of that and to integrate that seamlessly?
Those are questions I would be asking myself as I'm selecting the technological solution that I want to implement. Similarly, again, thinking of those user access reviews, am I just performing these or can I layer in risk and other contextual information to make them more valuable?
Also, how am I managing those certifications beyond just my end users? So I have employees, but I also have contractors, and this is really expanding in terms of what we're seeing with organizations. Significantly more contractors and third party vendors that they're having to manage for compliance purposes. So how will you be doing user access reviews for those? And is the solution that you're selecting capable of performing that?
Similarly, micro certifications for point in time changes. These are becoming more and more valuable. It's actually perfect timing. Martin just posted a blog and it actually called out a point around this, around micro certifications. So what's more valuable than doing a twice a year, very large user access review? A point in time review. Someone requests new access.
Yes, we do a typical review of that and determine if that access is appropriate for maybe changing job responsibilities, but also doing a proactive look at everything else that they're assigned at point in time and determining if at that point anything in there is stale or no longer needed and going ahead and revoking that. With micro certifications, you can actually see a 30 to 40% revocation rate because people are more aware in that moment of exactly the access that someone has and why they have it. And they're more likely to do that revocation of access.
So things like that are available in modern identity and access governance solutions. So taking that into account as part of your decision making. And then similarly, elevated access management. So this is that firefighter or emergency access. Thinking about all the applications you may want that for. So not just, again, ECC or S4, but do you want that for Ariba? Do you want that for Fieldglass? Do you want that for Salesforce or another application that you have out there? So identifying where you may want to leverage that temporary time-bound access, ensuring that you have change log support.
So the ability to see what someone did when they had that access and to sign off on it to show that evidence to audit that is an IT general control. So being able to address that in an automated manner is really valuable. And there's a lot of options out there. I call out clear notation of high-risk activities because with the advancements that we've made in elevated access management and access governance, we have a lot of capabilities now.
Like, for example, really simplifying the way that those change logs are presented to end users to make it easier for them to do that review effectively. And one of those things is calling out high-risk activities.
So again, these are actionable items you can be looking to implement as part of your change. Actionable reports and dashboards, built-in trending analysis and reports that are specific to the level of user that's utilizing them. A detail level report for a Basis admin or a security admin is really, really valuable, especially when it's actionable. They can see what needs to be performed and they can see that within the screen versus having to export something to Excel, make their own dashboard, maybe put it in Power BI or Tableau to try to get valuable information out of it.
If you can provide them up front with reports and dashboards that help them do their job, that's going to make them more efficient and effective. And similar to that, if we think about the executives, so if we think Basis to boardroom, we think about executives, what are they interested in? And can we create reports and dashboards that are going to be effective for them to monitor the health and wellness of the business as a whole?
And things like trending are really useful for this because then they can see an overall picture of where they were maybe a month ago or a quarter ago versus where they are today. And that's going to make it far more effective for them to be able to sign off on those risk processes and procedures that the company's put in place if they are someone like a CISO or they are responsible for the security aspect of the business, the cybersecurity aspect. So thinking about all of these things again, just functionality that is out there, it is available.
And as you're reviewing for the solution that you want to move forward with, things that you can keep in mind. And then lastly, continuous monitoring.
So again, this is that quantification of risk, clear audit trails, showing operational effectiveness, and then things like configuration monitoring for event notification. These are all things that can be implemented to help optimize your governance maturity and become more compliant as a business. So keeping all of those in mind. And I always like to show this in action.
So as we talk about making a change in the process and technology that we're using and possibly implementing more functionality, I find that it's always really helpful to be able to show people how it will change their day, how will your day get better by implementing some of these things. If we think about how we manually perform controls today, there are so many steps for defining that control, manually executing it, identifying if it was completed correctly, identifying exceptions, investigating it, very, very many steps.
But with the technology that's available today, we can significantly simplify and automate this. So we not only reduce the number of steps, but we reduce the amount of time that it takes and the number of people that must interact with that process.
So again, I love a good statistic, a really interesting one. A company that was implementing continuous controls monitoring reduced their SOD reviewers time by 96%. And that's because they no longer had to review every potential risk. They were reviewing the actual risks that were performed, those quantifiable risks. And they were monitoring for 100% of those transactions that were occurring in their SAP system. So by doing that, they've saved 96% of the time that their team members were previously having to review things and just focused in on the 4% of time when something occurred.
So not only are they more effective in their review, but they've gained that time back to do their day-to-day job versus having to do these compliance efforts for significant chunks of time throughout the year. So you can see really valuable benefits like that. If you're looking to implement these. And to kind of wrap up with a summary of what some of these look like. So we've talked about technologies you may want to implement, timelines that make sense for that. And I've kind of called out how you can mature your organization as part of these changes.
We don't have a choice about our technology changing in this case with some things going into maintenance. But what we can do is try to gain the most benefit out of it possible. And so these are typically areas where I try to bucket my benefits into these when I'm explaining or determining what value I can get out of my different options. So the first thing is personnel costs. How can I leverage the automation I'm looking at to streamline my tasks and create valuable employee time? I just gave the example of saving 96% of time that was previously used for reviewing controls.
That is time going back to my team members where they can actually perform their day-to-day business job responsibilities. So that's really valuable for them.
Similarly, if I think about what my IT costs are, what is my manual workload for my IT teams? And what repetitive tasks that are related to audit preparation can I take off their plate? Last year it was said that more than 60% of companies said that they were understaffed in their IT department and more than 50% of them said the number one area of expertise or knowledge and skill set that they were missing was identity and access management.
So when we're selecting a new identity solution to take over for those that are going into maintenance, we should be thinking about the one that's going to be most effective for addressing our identity and access management needs. Because if we can automate that for our IT teams, then that's going to release some of that burden of us having less staff to perform that and less people with a skill set around that. And also taking those day-to-day keep the lights on tasks off of our IT teams to-do list, what that allows us to do is to upskill them to do more business projects.
So those business value add projects, we can allot resources to do those things instead of something as simple as take a ticket and manually go assign access to someone. So that's where we can see a lot of value. And for audit preparation, if we are automating provisioning, risk checks, et cetera, those reports are all housed within those tools. And so because they're there, it simplifies where audit goes to get their audit materials.
And again, taking that off of IT's plate of having to do that. We think about consultant costs, consultants, audit staff, and third party. A lot of times we're doing this to supplement our teams. So if we think about those team members where we're saying we're understaffed and we don't have a specific skill set like identity and access management, what do we do? We usually will go outsource that or find someone via a contractor or consultant who can help us with that. So being able to lower those costs or if not lower them, reallocate them to other business value add projects.
That's where we can see changes in our expenses there. Incident response and remediation costs, so the faster that we can identify a potential incident and respond to it, the lower the potential risk for us to have costs and remediations associated with that. So we want to be as secure as we can, but also ensure that we do have a response plan in place should anything happen. And then the last one here is compliance fines and penalties. They say that an ounce of prevention is worth a pound of cure.
And this is really true because you're not only looking at if you do not have these processes and things in place, potential fraud occurring or lost funds to outside sources, but there's brand damage associated with that. In the case of certain things, there can be suits that are lawsuits that are associated with that due to failure to comply with things. So these are things that we want to avoid. So these are less about hopefully not taking out costs that are existing today. We hopefully are not paying fines and penalties today.
But the goal is to avoid having to do that in the future through having really compliant processes in place with our solution that we select. And then the last thing I would leave you with is that I think it's really important that no matter which solution we select as we move forward, that we're really in agreement across the organization. We see a lot of silos that occur between internal audit, between IT and between the business. And at the end of the day, any solution that we select, the goal of it should be to improve the operational effectiveness of all of those teams.
And so having everyone involved in the selection of that from the beginning and the creation of those processes and the implementation of them is going to ensure that as an organization, we are all moving in the same direction together. And we are all working towards the same end goal with valuable results at the end for each of us. And these are some of the results that each of these teams can see through execution of projects like this. So audit can become faster and easier to perform. We can see greater compliance in terms of the regulations that we have to meet.
For IT and security leadership, we can follow that least privileged access model. We can be more protective of our sensitive data and we can continuously monitor for risks that are occurring. So we have more security that the access that people have is being monitored and we would be proactively notified if anything was going on so that we could address it at point in time. And then for our business, they can confidently say that they don't have financial reporting issues. They're able to pass those audits and show that their controls are operating effectively.
And it's even the little things like they're able to more easily get access for their users. Something really simple to keep in mind is if you can just automate the provisioning of access and take that process from two weeks to two days or 80 hours to eight hours, you've just saved the business two weeks of a new employee sitting on the job unable to perform anything. So that's a significant cost to the business that is returned to them. And then also that person can now become immediately a productive member of the team.
So those are the different types of benefits that we can gain across the organization if we take all of these things into consideration as we select our tools going forward and we plan out where we want to be in five, 10, 15 years. And so with that, I am actually going to wrap up my slides and turn it back over to Martin.
Thank you very much, Keri, for all these insights. As mentioned before, it's time for Q&A. And to all the attendees, we have questions. It's the latest time to enter them now. You can enter.
You also have the option for upvoting so you can hint on which of the questions you feel are most relevant for you to get answered. And so we directly move into the Q&A session then.
Yeah, so the first point, or the first question I have here is, but SAP has recommended Microsoft Entra as an alternative to their SAP Identity Management. So this is a one-on-one, one-to-one match, or is there anything you would recommend being aware of?
Keri, how much time do we have? So I think it's a question for where we could talk hours about. Because there's a lot to mention. So I think, but when we are just a bit realistic, SAP Identity Management has been around for two decades, more or less. Microsoft Entra ID Governance, which is the precise term we should look at. Microsoft Entra ID Governance, the component that is positioned as a replacement is a relatively new tool. One is traditional on-premises. The other is SaaS. They have very different approaches at the end of the day. So it's not a one-to-one.
There are things that are different. There are things that are done differently. And so at the end of the day, it is probably something where, if you're realistic and we move to this live answer, then you see, okay, also the answer, where you need to be very thorough in your analysis about what do you have? What are your requirements? What do you want to do in future? So this is the way I strongly recommend looking at this. So that would be the way, as I've said, which appears to me the best approach.
Keri, anything you'd like to add to this?
No, I think that's great. I would want to create essentially a list of what my must-haves are for my existing SAP IDM system that I need a one-to-one match for. And then I would identify if Microsoft Entra Governance is going to meet those needs for me. And like I said, I would also assess if there's anything that's a nice to have that I would want to add onto that. So something like risk management, if I want to include that in there, if that's a decision point, I should be aware of it.
So yes, I think that is a whole topic in and of itself of how to plan and select your vendor that you want to go with. The vendor selection is an entire process in and of itself. But I think you covered all the highlights there.
Okay, great. And maybe one thing to add from my end, one thing to add is Entra ID Governance is really the IGA solution. So it aligns with the application access tools and you need to look at, will you move to an integrated strategy, what is the strategy on one side, what is the strategy on the other side. So it's really a more complex question to answer and don't underestimate the complexity here.
Okay, next question. So the next question we have here, and by the way, one great place to discuss everything around identity management is our upcoming European Identity Conference in Berlin. But maybe to the next question. We looked at a timeline for implementing a replacement solution which left a bit of time.
So, but I also looked at a lot of experience from a project. But then the question is how much time does it take to implement a governance program like Keri described? And so the first part was me, the second was Keri describing that. And what do you recommend doing implementing the governance program at the same time or separate from your IDM project?
Keri, I leave this to you at least for the first part of the answer.
So I think it depends on what your budget and your timeline are. But I would definitely recommend to assess if you can do them at the same time because if you're looking at implementing a compliance program or you have an existing compliance program and you are changing the way that you manage identities and you govern them whether that is a change in the tool or the business processes, that's going to have to be accounted for in your compliance program.
So at a minimum, you need your compliance team, whether that is auditors or a specific compliance team or internal or external audit. They do need to be a part of that decision-making process from beginning to end. They need to know the solution that you've selected. They need to know the processes that you're putting in place. Anything that may change in the way that controls need to be written and reviewed for audit purposes.
So at a minimum, they need to be informed and a part of that process at each step so that they know what you're doing, what's changing and what they'll be looking at going forward. But I always like to say again, we may not have a choice about making changes, but we can make the most of it. If they're already going to be involved, I would look at what else we can do to enhance and mature our governance. So do they have some nice-to-haves that they'd like you to consider when you're looking at your identity solution that you're going to select?
Or do they have some recommendations and things that are of importance to them? So that's what I would do is minimum they have to be involved, but I think there is an opportunity there to gain some efficiencies and also some additional value by asking them what more we could do with the tool that we select.
Yeah, exactly. And what I'd like to add, so basically you have two scenarios. The one is you just, big quotes, need to replace SAP Identity Management or you need to do both. You need the governance program, you need that organizational infrastructure and you need to replace. If you want to run the project right, the technical side of the project, then you need the organizational side. And I had this on one of the slides. I had this processes, policies, organization things. You need to have this in place.
So you need to do it in somewhat in parallel, even while there are definitely overlaps, but not exactly the same teams or you're already there, but then even you should reconsider is this organizational framework is this entire thing in the right scenario or do you need to change something? So this is what you should basically do.
Okay, next question. So we have a couple of other questions here. Maybe one relatively simple question to start with. It was at the beginning of the presentation. What is the timeframe for SAP Identity Management changes?
Simple, 2027 is the end of life and there's an extended maintenance period until 2030. So basically it's in a little less than three or in a little less than six years from now when you definitely need to be done. That was an easy one. Next one. This is a good one also I like. Realistically, how much cost savings could be attributed to disposals when considering the effort of the projects required to implement them?
Keri, you talked about the cost changes. So I'll leave this to you.
Yeah, so this is actually one of my things that I really enjoy doing with customers, which is putting together the business value case and actually doing the business value cost justification. So if you think about whatever you're implementing and the process changes that go along with it, you can get quite granular. So if you think about the project that it's going to take to implement a new solution instead of IDM, there's a significant amount of cost associated with that. I would look at everything you are implementing.
So are you implementing something that is going to automate the cost or are you going to automate your access provisioning? Are you going to automate certifications? Are you automating elevated access management, continuous controls monitoring? So I would be going down the list of every functionality that I'm implementing. And then I would identify how that is going to make it different from what I do today.
So if, for example, today I do use an automated solution for someone who makes a request, there's an automated workflow that sends it for approvals and then does the provisioning. That's fantastic. Am I implementing something like HR-triggered, automated joiner, mover, leaver workflows? Because if so, then I can look at historically how many tickets I have coming through that that would automate for me. And from that, I can derive an amount of time savings and the people involved. And then I can get my dollars from there.
So I can work my way backwards into the time savings for different departments, audit, IT and business. And then I can also from there extrapolate out the cost that I'm saving. So that example that I gave of access provisioning, if you're going from manual and say two weeks to do something to automated and now it takes two days, you not only get to calculate the cost that that would save the business, that is essentially eight business days that you've saved that employee from sitting there not performing anything. So that's an eight day cost savings for someone.
And then also the time that it would take the IT staff typically to manually chase down approvals and do the provisioning and then take that and multiply it by the total number of tickets you get every year for that. So that's how you can determine the cost associated with it and the cost savings, sorry. So I would just take a very detailed approach step by step. What processes are you implementing? How will that change from what you do today? What is everyone that that step will change for and what's the time it will change for them? And then extrapolate costs from there.
Okay, Keri, thank you. And maybe before we move to the next poll question, to the next question, we have maybe have a quick look at the results of the poll. So I haven't figured out, we have a new tool for these webinars, how to display the results on the screen. But basically the one question was about the biggest challenge in application access points. And 25% said it is the manual processes in managing access. While the different security models, audit tasks, regulatory compliance were all relatively equal. And for the other poll question about responsibility, the majority is 38%.
So there are different departments that are responsible for application access. And there's a lot of control for different types of line of business applications. I'm not a big fan of that scenario, to be honest. I think also with respect to the governance process we just discussed, et cetera, there should be quite some alignment. It can't sprawl. I just don't think we should let it sprawl. Then IAM department, SAP department are following other approaches. Which have some sort of mixed or maybe lacking environments.
With that, back to the questions. I think we at least can pick one more question. So that's also, I think, an interesting one. And this is, does this entire scene fit into the overall security architecture? To make a little bit of an advert for what you just said recently, just last week we had a webinar and it's available as a recording, which was around the updated identity fabric and the updated identity management reference architecture of KuppingerCole Analysts.
And at the end of the day, this is all part of a bigger framework where you need to think about what is really important for what I need to do for identity management across all these different areas. So I would say it's an essential element.
IGA, segregation of duty, within the broader, what we call identity fabric. So as I said, it's available the recording of the recent webinar. Just have a look at it.
Okay, I think we're almost done then with what we have here. If there's anything you'd like to follow up, we have the information on the slides about the speakers. You can easily reach out to us if it's via LinkedIn. So don't miss this opportunity. And with that, I think it's time to say, thank you to everyone for listening to this KuppingerCole Analysts webinar, for Pathlock to support it, for Keri about all the insights provided, for you for all the questions and the interaction. So thank you very much. Thank you everyone.